CVE-2024-21667: 
PHP vulnerability analysis and mitigation

CVE-2024-21667 affects the Customer Management Framework (pimcore/customer-data-framework) for Pimcore, which is used for managing customer data. The vulnerability allows an authenticated but unauthorized user to access the GDPR data extraction feature and query customer information, leading to potential exposure of sensitive data. This security issue was discovered and disclosed on January 10, 2024, and has been patched in version 4.0.6 (GitHub Advisory).

The vulnerability stems from improper access control implementation in the GDPR data extraction functionality. Specifically, permissions were not enforced when accessing the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality (NVD, GitHub Advisory).

The vulnerability allows unauthorized users to access Personally Identifiable Information (PII) of customers stored in the system. Any authenticated user, regardless of their permission level, could query and retrieve sensitive customer data through the GDPR data extraction feature (GitHub Advisory).

The vulnerability has been patched in version 4.0.6 of the pimcore/customer-data-framework. Organizations using affected versions should upgrade to version 4.0.6 or later to address this security issue. The fix implements proper permission checks by adding the 'gdpr_data_extractor' permission requirement (GitHub Patch).